Smartphone Invader Tracks Your Every Move
Carrier IQ software, installed on more than 141 million mobile phones, tracks GPS location, websites visited, search queries, and all keys pressed.
by Mathew J. Schwartz  /  November 16, 2011

Software on many smartphones is tracking every move and website visited, without the knowledge of the phone’s user. And that information is being collected by a little known company, which could be sharing it with law enforcement agencies without requiring a subpoena and without keeping a record of the query.That’s among the conclusions that can be drawn from the discovery of a rootkit that’s running on a number of Verizon and Sprint phones, which tracks not just phone numbers dialed, but also the user’s GPS coordinates, websites visited, keys pressed, and many website searches, according to security researcher Trevor Eckhart. He discovered the rootkit after tracing suspicious network activity in a data center that he manages, and which he suspected related to a virus infection. But he traced the activity back to software made by Carrier IQ, which describes its “mobile service delivery” software as being a tool for measuring smartphone service quality and usage using software embedded in handsets. “The Carrier IQ solution gives you the unique ability to analyze in detail usage scenarios and fault conditions by type, location, application, and network performance while providing you with a detailed insight into the mobile experience as delivered at the handset rather than simply the state of the network components carrying it,” according to the website.

Carrier IQ software runs on 141 million handsets. In the United States, it ships installed by default on many handsets sold via Sprint and Verizon, and runs on a number of platforms, including Android, BlackBerry, and Nokia smartphones and tablets. Rather than carriers using Carrier IQ software to collect data and then store it themselves, it appears that Carrier IQ handles both the data collection and related analytics. According to the company’sprivacy and security policy, “information transmitted from enabled mobile devices is stored in a secure data center facility that meets or exceeds industry best practice guidelines for security policies and procedures.” The policy doesn’t detail those policies and procedures.

Eckhart said in an interview that the software is often configured by carriers to hide its presence from users. That means it functions per the Wikipedia definition of a rootkit: “Software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” The software, however, doesn’t have to be stealthy. Eckhart said that the default version of Carrier IQ “makes its presence known by putting a checkmark in the status bar,” and can generate surveys if calls get dropped or browsers crash unexpectedly, to help engineers identify the underlying problem. Still, after reviewing public-facing training videos he found online, Eckhart said he was alarmed to see just how much data was being gathered by Carrier IQ, and how easily it could be searched en masse–all of which makes him suspicious about how the data is being used. “If this was just legit use, say monitoring dropped calls, why would all on/off switches be stripped and made completely invisible? Users should always have an option to ‘opt-in’ to a program. There are obviously other uses,” he said. “It is a massive invasion of privacy.”

Carrier IQ makes the information it collects available to its customers via a portal. Eckhart said in a blog post that “from leaked training documents we can see that portal operators can view and [search] metrics by equipment ID, subscriber ID, and more.” As a result, anyone with access to the portal can “know ‘Joe Anyone’s’ location at any given time, what he is running on his device, keys being pressed, applications being used,” he said. Carrier IQ spokeswoman Mira Woods said, “Our customers select which metrics they need to gather based on their business need–such as network planning, customer care, device performance–within the bounds of the agreement they form with their end users. These business rules are translated into a profile, placed on the device which provides instructions on what metrics to actually gather.” She said that all collected data gets transmitted by Carrier IQ to carriers using a “secure encrypted channel,” at which point they typically use it for customer service or analyzing network performance. “The further processing or reuse of this data is subject to the agreement formed between our customer and their end user (of the mobile device) and the applicable laws of the country in which they are operating,” she said.

One concern for privacy advocates, however, is that carriers apparently share information of the type collected by this software freely with law enforcement agencies. Notably, research published by privacy expert Christopher Soghoian in 2009 found that Sprint had shared customers’ GPS location information with law enforcement agencies more than 8 million times over a 13-month period. Sprint had also developed tools to automatically fulfill the large volume of law enforcement agency requests, which seem to occur in a legal gray area that results in none of the requests or shared data queries being recorded. Eckhart said the information being collected by Carrier IQ was even more expansive than what Sprint had shared in 2009. “We can see from the dashboard that GPS data can be viewed historically or in real time by date, time, whatever. That makes for a very efficient law enforcement portal, just like what’s detailed being blatantly abused in Soghoian’s article. It also relates to how Verizon is gathering info for their new ad tracking program,” he said. “Things like exact keypress data being stored as well shows this. What use would what words I’m typing ever be to ‘network performance’? Maybe words per minute would be useful, but it’s not that–it’s an exact record of what you are typing.”

Verizon has publicly acknowledged that it uses Carrier IQ statistics, both for mobile usage information (device location, app and feature usage, and website addresses, which may include search string) as well as consumer information (use of Verizon products and services, as well as demographic information, such as gender, age, and dining preferences). It also offers customers a way to opt out of this usage. Meanwhile, “Sprint is known to collect Carrier IQ data because users have the application running reporting to them, but have no privacy policy, retention policy, or public information on what they use the data for,” said Eckhart. But Sprint spokesman Jason Gertzen said via email that Sprint uses the information for diagnostic purposes. “Carrier IQ provides information that allows us to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring,” he said. “The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.” Deactivating installed Carrier IQ software can be difficult, at least as implemented by many carriers. While Samsung Android devices offer a somewhat hidden Carrier IQ on/off switch, HTC Android devices offer no such feature. Accordingly, if you buy an ex-Sprint phone off of eBay and Carrier IQ software is installed, you’re being tracked, said Eckhart. But Carrier IQ’s Woods said that her company’s software is set to disable data collection if the device’s SIM card or mobile carrier changes.

How can you determine if the software is running on a device? “Logging TestApp scanner will detect it in the kernel–use ‘Check Props’ feature–as well as files used in the regular Loggers scan,” said Eckhart. He’s the developer behind Logging TestApp, which can also be used to reveal the Carrier IQ menus often hidden by carriers when they roll out the application. If Carrier IQ is found and isn’t wanted, deleting it can also be difficult. “The only way to remove Carrier IQ is with advanced skills. If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ,” he said. “Logging TestApp can identify files used in logging and you can manually patch or use [the] Pro version to automatically remove [them].”

Android expert Tim Schofield has also released a YouTube video showing how to remove Carrier IQ from the Samsung Epic 4G running Android Gingerbread 2.3.5, but warned that it would require flashing the ROM. “What [Carrier IQ] does is log things you do and send it to Sprint, so it’s like a spyware thing that you don’t want on your phone,” he said.

Samsung screenshots thanks to k0nane on XDA See the full post where he removed carrier IQ here


Carrier IQ defends against Android rootkits accusation
Handset makers and carriers to blame
by Lawrence Latif / Nov 17 2011

MOBILE ANALYTICS OUTFIT Carrier IQ is facing a growing firestorm over its secretive analytics software that is deeply embedded into mobile operating systems such as Google’s Android. Carrier IQ, which claims to provide ‘mobile intelligence’, has been accused of supplying rootkits that track user interactions on smartphones. Carrier IQ’s software is found on many operating systems including Google’s Android and records application runtimes, media playback, location satistics and when calls are received.

An investigation conducted by the smart chaps at XDA-Developers brought Carrier IQ’s activities to light, with the investigators labeling the software as a rootkit. It also found that stopping the service was not a trivial matter, since it’s hidden under several layers of abstraction.
Carrier IQ became aware of the growing backlash against its software and issued a release in which it claimed device manufacturers use its software to “improve the quality of the network, understand device issues and ultimately improve the user experience”. It went on to categorically deny that it was tracking keystrokes or providing tracking tools.
As for the data collected by Carrier IQ’s software, the firm went on to say, “Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements.”

Being fair to Carrier IQ, it is not secretly splicing in tracker-ware into its products like Sony did, rather carriers and handset makers are opting to include the software without informing users. The handset makers should be questioned as to their motives for including such software and asked to provide detailed documents listing what they collect, what they do with the information and how long the information is stored. Whatever the reason for including Carrier IQ’s software, the facts are that users were unaware of it and it is engineered to be extremely difficult to remove. Those facts alone are enough to warrant serious concern.

Carrier IQ markets its software as a "mobile service intelligence solution" on its Web site. "We give wireless carriers and handset manufacturers unprecedented insight into their customers' mobile experience."

Carrier IQ markets its software as a “mobile service intelligence solution” on its Web site. “We give wireless carriers and handset manufacturers unprecedented insight into their customers’ mobile experience.” (Credit: Carrier IQ)


by Elinor Mills /  November 17, 2011

Android developer Trevor Eckhart recently noticed something odd on several EVO HTC devices: hidden software that phoned home to the carrier with details about how the phone was being used and where it was. The software, Carrier IQ, tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information on how the device is used and when.

Eckhart discovered that Carrier IQ can be shown as present on the phone to users or configured as hidden, which was the case on the HTC phones he analyzed. And he found what he described as “leaked training documents” that indicate that carriers can view customer usage information via a remote portal that displays devices by equipment ID and subscriber ID. “The only way to remove Carrier IQ is with advanced skills,” Eckhart wrote in a report,published on the Web on Monday. “If you choose to void your warranty and unlock your bootloader you can (mostly) remove Carrier IQ.” Sprint, meanwhile, “has no privacy policy, retention policy, or public information on what they use the data for,” Eckhart wrote.

HTC Android devices have no on-off switch for Carrier IQ, while Samsung devices do, but it is not easily accessible or pointed out to users, he said. Because customers do not give explicit permission for this data collection and don’t even know this software is on their phones, and they can’t opt out of it, Eckhart says it is a clear privacy violation. He likens Carrier IQ to malware. “Carrier IQ is rootkit software,” he wrote in his report. “It listens on the phones for commands contained in ‘tasking profiles’ sent a number of ways and returns whatever ‘metric’ was asked for.”

According to Wikipedia, a rootkit is software “that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.” Typically, hackers install a rootkit onto a target system by exploiting a software vulnerability or using a stolen password. They are characterized by stealth and malicious purpose. Definitions aside, the types of data gathered is enough to set off alarms for privacy minded folk. “If it’s just for ‘network performance’ why wouldn’t they give users a choice?” Eckhart said in an e-mail to CNET late last night. “Any program logging this extent of personal information should always be opt-in.”

A Sprint spokesman provided a general statement about the use of Carrier IQ, but did not provide comment to follow-up questions about whether customers know about the data collection and why they can’t opt out. Here is the Sprint statement:

“Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.

Sprint maintains a serious commitment to respecting and protecting the privacy and security of each customer’s personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service.”

Carrier IQ representatives said the data carriers collect with their software has a legitimate purpose and is handled responsibly. “We are collecting information that would be regarded by most people as sensitive,” Andrew Coward, vice president of marketing for Carrier IQ, told CNET today. “So we work within the network of the operator or in the facilities [they approve] and which are up to their standards as far as data retention” and encryption.

Mountain View, Calif.-based Carrier IQ launched six years ago expressly to offer software that serves as an “embedded performance management tool,” he said. “This has caught us off guard in that the technology has been around a long time,” he added. “We’re in the business of counting things that happen on the phone to help carriers improve service.” For example, knowing exactly where a phone call was dropped can help a carrier identify network troubles in a geographic location. “We do want to know when you’ve had a dropped call, if an SMS didn’t work and if you’ve got battery life problems,” Coward said.

Information on keys that are pressed and how many times the phone is charged can provide activity information over the life of a phone, which is important for device manufacturers, he said. “We are not interested and do not gather the text or the text message and do not have the capacity to do that,” he said. Processing specific data like that from millions of devices would be impractical to do, he said. In addition, the data logged is not real-time in Carrier IQ, which diminishes its usefulness, and carriers have other ways of getting sensitive user data if they want, according to Coward. “You can’t make a phone call on the mobile network without them knowing where you are,” he said. “Our customers believe that they have obtained permission from their customers to gather this performance data.”

But Eckhart questioned the legality of carriers collecting keypresses and some of the other information. “As far as Sprint, the data they are logging is very personal,” he said in his e-mail. “How do we know who is getting this? Every customer service personnel? Law enforcement? Is my location and browsing history stored forever?”

It’s unclear what devices have Carrier IQ software installed. Coward said Carrier IQ is used by more than a dozen device manufacturers, including smartphones and tablets, but he declined to name the companies or devices. Eckhart names HTC, Samsung, Nokia, BlackBerry, Sprint, and Verizon in his report on Carrier IQ. HTC did not respond to requests for comment and a Samsung representative said she would try to get comment. But a Verizon representative said the company does not use Carrier IQ on its devices and Coward confirmed that. (Eckhart’s report linked to this Verizon Web page that talks about collecting data on phone location, Web sites visited and other information.) Eckhart did not immediately respond to e-mails and phone calls seeking a follow-up interview today. In the paranoid world of security researchers, the notion of privacy is nine-tenths perception and potential. Carriers should make it clear what data they are collecting and what benefit doing so provides to the customers. And, if possible, it should be opt in.


Responding to the US Senate request lead by Senator Al Franken, AT&T, Sprint, HTC, and Samsung have sent the list of all the phones with Carrier IQ spyware installed in them.

The carriers have also admitted that Carrier IQ also captured the content of text messages “under certain conditions.”

Here’s the complete list:

AT&T claims about 900,000 users using phones with Carrier IQ. The software is active on eleven AT&T wireless consumer devices:

• Motorola Atrix 2
• Motorola Bravo
• Pantech Pursuit II
• Pantech Breeze 3
• Pantech P5000 (Link 2)
• Pantech Pocket
• Sierra Wireless Shockwave
• LG Thrill
• ZTE Avail
• ZTE Z331
• SEMC Xperia Play

It’s also installed but not active “due to the potential for the software agent to interfere with the performance” of the following phones:

• HTC Vivid
• LG Nitro
• Samsung Skyrocket

Carrier IQ is also packaged in the free AT&T Mark the Spot application, available for Android and RIM.

26 million active Sprint devices have the Carrier IQ software installed, says Sprint. That’s almost half of all their subscribers, 53.4 million customers, so you can assume that they have it installed in all the Android phones of the manufacturers Sprint reported to the US senate:

• Audiovox
• Franklin
• Huawei
• Kyocera
• LG
• Motorola
• Novatel
• Palmone
• Samsung
• Sanyo
• Sierra Wireless

Samsung claims 25 million phones affected. It has directly installed Carrier IQ at the factory in the following models:

• SPH-M800 (Samsung Instinct)
• SPH-M540 (Samsung Rant)
• SPH-M630 (Samsung Highnote)
• SPH-M810 (Samsung Instinct s30)
• SPH-M550 (Samsung Exclaim)
• SPH-M560 (Samsung Reclaim)
• SPH-M850 (Samsung Instinct HD)
• SPH-I350 (Samsung Intrepid)
• SPH-M900 (Samsung Moment)
• SPH-M350 (Samsung Seek)
• SPH-M570 (Samsung Restore)
• SPH-D700 (Samsung Epic 4G)
• SPH-M910 (Samsung Intercept)
• SPH-M920 (Samsung Transform)
• SPH-M260 (Samsung Factor)
• SPH-M380 (Samsung Trender)
• SPH-M820 (Samsung Galaxy Prevail)
• SPH-M580 (Samsung Replenish)
• SPH-D600 (Samsung Conquer 4G)
• SPH-M930 (Samsung Transform Ultra)
• SPH-D710 (Samsung Epic 4G Touch)
• SPH-M220
• SPH-M240
• SPH-M320
• SPH-M330
• SPH-M360
• SPH-P100
• SPH-Z400

•T989 (Samsung Hercules)
•T679 (Samsung Galaxy W)

• SCH-R500 (Samsung Hue)
• SCH-R631 (Samsung Messager Touch)
• SCH-R261 (Samsung Chrono)
• SCH-R380 (Samsung Freeform III)

• SGH-i727 (Samsung Galaxy S II Skyrocket)

HTC preinstalled Carrier IQ spyware on about 6.3 million Android phones:

• Snap
• Touch Pro 2
• Hero
• EVO 4G
• EVO Shift 4G
• EVO Design

• Amaze 4G

• Vivid

What is Carrier IQ?
Carrier IQ logs information about your whereabouts as well as other personal data such as browsing history, application usage and phone numbers.

The Carrier IQ application also captures the content of your text messages, according to AT&T. This happens when you are talking on the phone and you sned or receive a text message: “the CIQ software also captured the content of SMS text messages—when and only when—such messages were sent or received while a voice call was in progress.” [US Senator Al Franken’s responseAT&T Response (PDF)Sprint Response (PDF)Samsung Response (PDF)HTC Response (PDF)CarrierIQ response (PDF), via Verge and Business Week]